Changes proposed to Indian IT Act

By, K K Mookhey

At long last there is news that changes will definitely be made to the Indian IT Act, purportedly due to the latest series of BPO scams. These have ranged from employees leaking out customer information to actually transferring customer money into their own bank accounts. Given the list of changes that are being proposed to be made, I seriously doubt it will make a difference.

First up some of the more Draconian clauses in the Act are being made even more comprehensive and scary. For instance, amendments provide for punishment up to two years and a fine for sending offensive messages through computer or any communication instrument. What’s exactly “offensive” is wide open for intepretation. And also leaves the Act more vulnerable to abuse. In the past, we have seen the powers given to the sub-inspector police officer have allowed them to harass innocent people, simply because someone lodged a case against them.

There’s more yet. Publication of sexually explicit material will attract stringent punishment — imprisonment of up to five years and fine of Rs 10 lakh in case of first offence, and imprisonment of up to seven years and fine up to Rs 10 lakh for second-time offence. I mean the government really needs to get its act together. When they should be going after paedophiles, they’re spending time and effort going after the neighbourhood kid who sends out an MMS clip of the latest film star caught with her pants down.

Besides this, organizations that end up revealing customer data will now be held culpable with civil liability and damages upto Rs. 5 crore (approx US $1.2 million). Unfortunately, this is going to swing both ways. While it might force organizations to secure their data, history has shown us that even the best levels of security are not enough when it comes to insider theft. No matter what level of controls you put in place, a determined insider will quite likely be able to get away with your information. Now, you might be able to detect the theft and take action, but then you’d be the one held responsible. This means lower probability of companies reporting cyber crimes, since they are the ones who will now be in the dock, even if it is some errant employee.

What I do like is that any service provider will be held liable if they leak out information in breach of a lawful contract with their customers. This would put a tab on those telcos, banks and ISP’s who have ostensibly been revealing customer information due to the sheer lack of privacy laws in the country. There is also a section (72, I think) that deals specifically with intrusion of personal privacy of the webcam type.

None of this of course deals with the absymally low rate of conviction, which is obviously due to weak evidence collection methods. The Ministry of IT needs to do something about that first, and then play around with the Act as much as it likes to. No matter how comprehensive the clauses or how stringent the penalties, none of this will make any difference until the conviction rate begins to make sense. Where’s the training to Cyber Crime officials on forensics, and where’s the forensics manual that’s been in the works for half a decade?
For a more in-depth analysis you might also want to read this.



Very nice article!


Good Job.

I would like you to also look at the comments on the proposed amendments available at

The summary of the views here are that the proposed amendments are Criminal friendly and anti IT industry.


Very nice article, definetely there is need of a stronger IT Laws to foster E-Commerce in our country.

Leave a Reply

Your email address will not be published. Required fields are marked *

For security, use of Google's reCAPTCHA service is required which is subject to the Google Privacy Policy and Terms of Use.

I agree to these terms.